Privacy Policy

I. Introduction

GameFlow (“we,” “the Company”) is the data controller responsible for the processing of the personal data you provide when using our software platform and associated services.

We are committed to managing your information in a responsible, transparent manner that complies with applicable regulations, including Law No. 8968 on the Protection of the Individual with regard to the Processing of Personal Data of the Republic of Costa Rica, the General Data Protection Regulation (GDPR) of the European Union, and the California Consumer Privacy Act (CCPA/CPRA), as applicable to each user.

This policy applies to all GameFlow users globally and describes what data we collect, how we use it, with whom we share it, and what your rights are.

II. Customer Rights

In compliance with applicable national and international regulations, GameFlow customers have the following rights regarding the processing of their personal data:

2.1. Right to information

You have the right to be informed, clearly and in a timely manner, about what personal data we collect, the purposes for which we process it, and how we protect it. This privacy policy is the primary instrument through which you can exercise this right.

2.2. Right of access

You may request at any time a copy of the personal data GameFlow holds about you, along with information about how it is used. To exercise this right, write to us at team@gameflow.gg. We will respond within a maximum of 5 business days from receipt of your request.

2.3. Right of rectification

If you consider that any of your personal data is inaccurate, incomplete, or out of date, you may request its correction or update by writing to team@gameflow.gg. We will address your request within a maximum of 5 business days.

2.4. Right of erasure

You may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you wish to withdraw your consent.

GameFlow may retain your data only when necessary to:

• Comply with a current legal obligation.
• Exercise or defend legal claims.
• Prevent or detect fraudulent activity.
• Complete an ongoing transaction or service that you have requested.

To request the deletion of your data, write to us at team@gameflow.gg. We will respond within a maximum of 5 business days indicating the actions taken or, where applicable, the justification for retaining the data.

2.5. Right to data portability

You may request a copy of your personal data in a structured, commonly used, and machine-readable format (for example, CSV or JSON), so that you can transmit it to another service provider. To exercise this right, write to us at team@gameflow.gg. We will address your request within a maximum of 5 business days.

2.6. Right to restriction of processing

In certain cases, such as when you dispute the accuracy of your data or object to its processing while we evaluate your request, you may ask us to temporarily limit the use of your information. During that period, your data will only be stored and will not be processed for other purposes.

2.7. Right to object to automated decisions

GameFlow may use behavioral analysis tools and automated processes to improve the user experience. You have the right to object to decisions with significant effects on you being taken solely by automated means, without human intervention.

2.8. Withdrawal of consent

You may withdraw at any time the consent you have given us for the processing of your personal data by writing to team@gameflow.gg. The withdrawal will not have retroactive effects on processing previously carried out in accordance with your consent. We will respond within a maximum of 5 business days.

2.9. Right to non-discrimination

GameFlow will not discriminate against or penalize any user for exercising any of the rights described in this section. The exercise of these rights will not affect the quality or availability of the services offered.

III. Data and Its Use

GameFlow collects only the data necessary to provide its services, in accordance with the principle of data minimization established in Art. 6 of Law No. 8968 and Art. 5 of the GDPR.

3.1. Data you provide to us directly

When you create an account or use our services, we collect:

• Registration data: name or username, email address, and encrypted password, when registration is completed through our own form.
• External authentication data: when registration is completed through Google, Apple, or another SSO provider, we receive only the name and email address that the provider shares with us, with your authorization. We do not store your password for those services.
• Profile data: username, profile picture (optional), games linked to the profile, configuration preferences, activity history, bugs, and tickets.
• Payment data: billing information necessary to process subscriptions or payments. Credit and debit card data is processed directly by our certified payment provider, and GameFlow does not store card numbers or sensitive financial data.

3.2. Data we collect automatically

When you use the platform, we automatically collect:

• Technical service data: latency, server performance, response times, error logs, and connection-stability metrics. This data is necessary to ensure the quality of the hosting and matchmaking service.
• Platform usage data: features used, access frequency, dashboard configurations, and aggregated usage patterns. Used exclusively for internal analysis and service improvement.
• Device data: IP address, browser or client type, operating system, and approximate geographic region.

3.3. Purpose of processing

Each piece of data collected has a specific and legitimate purpose:

• Name and email: used to create and manage your account and personalize your experience.
• Authentication data: used to verify the user's identity.
• Profile and usage history: used to personalize the experience, analyze errors, and improve service quality.
• Payment data: used to process subscriptions and billing.
• Performance metrics: to ensure service stability.
• Dashboard usage data: to improve features for developers.
• IP and region: security, fraud detection, and server selection.

3.4. Data we do NOT collect

GameFlow does not collect sensitive data such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation, in accordance with the prohibition established in Art. 9 of Law No. 8968.

IV. Data Sharing

4.1. General principle

GameFlow does not sell, rent, or trade your personal data to third parties under any circumstances. This statement expressly satisfies the opt-out requirement of the CCPA/CPRA for California residents.

4.2. Service providers (data processors)

To operate the platform, GameFlow works with external providers that act as data processors on our behalf. These providers only have access to the data strictly necessary to provide their service and are contractually required to:

• Process the data exclusively in accordance with our instructions.
• Not use the data for their own purposes.
• Maintain adequate security measures.
• Respect the confidentiality of the information.

The types of providers we work with are:

• Cloud infrastructure and servers: handle technical data, IP addresses, and performance metrics for the purpose of hosting and operating game servers.
• Payment processor: receives billing and transaction data to process subscriptions and payments.
• Analytics tools: receive aggregated and anonymized usage data, used to improve the service and the dashboard.
• Security and anti-fraud: receive IP-address and access-pattern data, used for fraud detection and prevention.

4.3. Other permitted disclosures

Outside of the providers mentioned above, GameFlow will only share your personal data in the following exceptional cases:

• Legal obligation: when expressly required by a competent judicial or administrative authority, in accordance with Art. 5(a) of Law No. 8968.
• Protection of rights: when necessary to exercise or defend the legal claims of GameFlow or its users.
• Critical security: when there is a serious and imminent threat to the security of the platform or its users and the processing is indispensable to neutralize it.

In none of these cases will GameFlow disclose more information than is strictly necessary.

4.4. International transfers

Some of our infrastructure providers operate servers outside of Costa Rica. All international data transfers are carried out under contractual safeguards that ensure a level of protection equivalent to that required by Law No. 8968 and the GDPR, in accordance with Arts. 44–46 thereof.

V. Data Retention and Deletion

GameFlow retains personal data only for as long as necessary to fulfil the purposes described in this policy, after which it is deleted or anonymized. In accordance with Art. 6 of Law No. 8968, data is not retained for longer than ten (10) years, and specific retention periods are defined per category of data as required by the GDPR.

Detailed retention periods for each data category, along with our data-security measures (including two-factor authentication) and our use of cookies and performance technologies, are being finalized and will be published in an upcoming revision of this policy. For any question in the meantime, contact us at team@gameflow.gg.